From 6f5e2c2cdcbdb9ea4aca71f0bde2a935d979da3f Mon Sep 17 00:00:00 2001
From: jessib
Date: Tue, 6 Aug 2013 14:21:08 -0700
Subject: Some more tweaks to have billing code work, and allow admins to view but not edit for other users.
---
 billing/app/controllers/credit_card_info_controller.rb | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'billing/app/controllers/credit_card_info_controller.rb')
diff --git a/billing/app/controllers/credit_card_info_controller.rb b/billing/app/controllers/credit_card_info_controller.rb
index 75865fe..717fa18 100644
--- a/billing/app/controllers/credit_card_info_controller.rb
+++ b/billing/app/controllers/credit_card_info_controller.rb
@@ -3,7 +3,7 @@ class CreditCardInfoController < ApplicationController
 def edit
 @credit_card = Braintree::CreditCard.find(params[:id])
- customer = Customer.find_by_user_id(current_user.id)
+ customer = Customer.find_by_user_id(@user.id)
 if customer and customer.braintree_customer_id == @credit_card.customer_id
 @tr_data = Braintree::TransparentRedirect.
 update_credit_card_data(:redirect_url => confirm_credit_card_info_url,
@@ -27,7 +27,8 @@ class CreditCardInfoController < ApplicationController
 private
- def set_user
+ def set_user
+ # this assumes anybody, even an admin, will not access for another user.
 @user = current_user
 end
-- 
cgit v1.2.3
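Review bot: `edit` now dereferences `@user.id` in the `Customer.find_by_user_id` lookup, which is only safe if `set_user` is registered as a filter that runs before this action; that wiring is not in the hunk, and with `@user` unset the action would fail with `NoMethodError` rather than cleanly deny access. A one-line comment above the lookup would make the dependency explicit: `# @user is bound by the set_user filter; it must run before this action, otherwise the ownership check below cannot be evaluated`. Note also the ordering: `Braintree::CreditCard.find(params[:id])` is issued to the gateway on a caller-supplied token before the `customer.braintree_customer_id == @credit_card.customer_id` ownership comparison, so an unknown or foreign token presumably surfaces as a gateway exception, and this hunk does not show whether the action rescues it. Minor style: `&&` is preferable to `and` in the `if` condition, since `and` binds lower than assignment and is easy to mis-extend later. The body of `edit` (the branch after the `if`) continues outside the hunk.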
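Review bot: The new comment on `set_user` says that even an admin will not access another user's data, which contradicts the commit subject ("allow admins to view but not edit for other users"); it should state what this method actually enforces, namely that `@user` is always `current_user` and any user id supplied in params is ignored. Suggested wording: `# Always bind to the signed-in user; a user id in params is deliberately ignored here. If admin read-only access to other users' billing is added later, it must not reach edit/update, which mutate the Braintree card.` Whether `set_user` is actually registered as a `before_filter` is not visible in this hunk, so the guarantee the comment describes holds only if it is. The `-`/`+` pair on `def set_user` appears to be a whitespace-only change.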